container-scan-hadolint
Run Hadolint to lint Dockerfiles for best practices and security issues. Validates against Docker and ShellCheck rules.
NPX Install

```bash
npx skill4agent add vchirrav/product-security-ai-skills container-scan-hadolint
```

SKILL.md Content
Dockerfile Linting with Hadolint
You are a security engineer linting Dockerfiles using Hadolint to enforce best practices and detect security issues.
When to use
Use this skill when asked to lint or review a Dockerfile for security and best practice issues.
Prerequisites
- Hadolint installed (via Homebrew, or download a release binary):

```bash
brew install hadolint
```

- Verify:

```bash
hadolint --version
```
Instructions
- Identify the target: determine the Dockerfile(s) to lint, including variants such as `Dockerfile.dev` and any file passed to `docker build -f`.
- Run the scan and keep the machine-readable output:

```bash
hadolint --format json <Dockerfile> > hadolint-results.json
```

  Multiple files:

```bash
hadolint --format json Dockerfile Dockerfile.dev
```

  Ignore specific rules (each ignore needs a justification; record permanent exceptions in a `.hadolint.yaml` `ignored:` list rather than on the command line so they are reviewed with the code):

```bash
hadolint --ignore DL3008 --ignore DL3009 --format json Dockerfile
```

  Severity threshold (exit non-zero only for findings at or above the given level; lower-severity findings are still included in the output):

```bash
hadolint --failure-threshold warning --format json Dockerfile
```

  Hadolint exits non-zero whenever a finding meets the threshold (default `info`), so under `set -e` the redirect above aborts the script; pass `--no-fail` when the goal is only to collect results.
- Parse the results: read the JSON output (one object per finding with `file`, `line`, `column`, `code`, `level` and `message`) and present the findings:

| # | Severity | Rule | Line | Finding | Remediation |
|---|----------|------|------|---------|-------------|

- Summarize: give the total number of issues by severity (`error`, `warning`, `info`, `style`) and the specific Dockerfile fix for each finding.
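The parse-and-summarize steps above, as an added example (not part of the original skill or of the Hadolint project). `SAMPLE_JSON` is constructed to mirror the shape of Hadolint's JSON output; the abbreviated messages and the `REMEDIATION` wording are this example's own, and the threshold logic reproduces `--failure-threshold` semantics on the parsed findings so a CI wrapper can decide pass/fail from the saved file.

```python
"""Turn `hadolint --format json` output into the findings table and severity summary.

Added example for the "Parse the results" and "Summarize" steps; not part of the
original skill or of the Hadolint project. SAMPLE_JSON is constructed to mirror
the shape of Hadolint's JSON output (one object per finding with file, line,
column, code, level and message); the REMEDIATION text is this example's own.
"""
import json
from collections import Counter

# Hadolint severities, most severe first; --failure-threshold is evaluated against this order.
SEVERITY_ORDER = ["error", "warning", "info", "style"]

# Short fix per rule code (example mapping, assumed; not Hadolint's own text).
REMEDIATION = {
    "DL3000": "Use an absolute path in WORKDIR",
    "DL3002": "Add a non-root USER as the last USER instruction",
    "DL3003": "Replace `cd` with WORKDIR",
    "DL3006": "Tag the base image: FROM image:tag",
    "DL3007": "Replace :latest with a pinned release tag",
    "DL3008": "Pin packages: apt-get install pkg=version",
    "DL3009": "Append `&& rm -rf /var/lib/apt/lists/*` to the same RUN",
    "DL3018": "Pin packages: apk add pkg=version",
    "DL3025": "Use JSON form: CMD [\"executable\", \"arg\"]",
    "DL4006": "Add SHELL [\"/bin/bash\", \"-o\", \"pipefail\", \"-c\"] before the RUN",
    "SC2086": "Double-quote the variable expansion",
}

# Constructed sample of Hadolint JSON output (not captured from a real run).
SAMPLE_JSON = """[
  {"file": "Dockerfile", "line": 1, "column": 1, "code": "DL3007", "level": "warning",
   "message": "Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag"},
  {"file": "Dockerfile", "line": 2, "column": 1, "code": "DL3002", "level": "warning",
   "message": "Last USER should not be root"},
  {"file": "Dockerfile", "line": 3, "column": 1, "code": "DL3008", "level": "warning",
   "message": "Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`"},
  {"file": "Dockerfile", "line": 3, "column": 1, "code": "DL3009", "level": "info",
   "message": "Delete the apt-get lists after installing something"},
  {"file": "Dockerfile", "line": 4, "column": 1, "code": "DL4006", "level": "warning",
   "message": "Set the SHELL option -o pipefail before RUN with a pipe in it"},
  {"file": "Dockerfile", "line": 5, "column": 1, "code": "DL3025", "level": "warning",
   "message": "Use arguments JSON notation for CMD and ENTRYPOINT arguments"}
]"""


def load_findings(text):
    """Parse Hadolint JSON output; an empty or whitespace-only file means no findings."""
    text = text.strip()
    return json.loads(text) if text else []


def severity_rank(level):
    """Lower rank = more severe. Unknown levels sort last so nothing is silently dropped."""
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else len(SEVERITY_ORDER)


def sort_findings(findings):
    """Most severe first, then by file, line and column so the table reads top-down."""
    return sorted(findings, key=lambda f: (severity_rank(f["level"]), f["file"], f["line"], f["column"]))


def summarize(findings):
    """Count findings per severity, listed from most to least severe."""
    counts = Counter(f["level"] for f in findings)
    return {level: counts[level] for level in SEVERITY_ORDER if counts[level]}


def exceeds_threshold(findings, threshold="info"):
    """Mirror --failure-threshold: True if any finding is at or above the threshold.
    'ignore' / 'none' mean never fail, matching the values Hadolint accepts."""
    if threshold in ("ignore", "none"):
        return False
    limit = severity_rank(threshold)
    return any(severity_rank(f["level"]) <= limit for f in findings)


def _cell(text):
    """Escape pipes so a finding message cannot break the Markdown table."""
    return str(text).replace("|", "\\|")


def render_table(findings):
    """Render the findings table used in the skill's reporting step."""
    rows = ["| # | Severity | Rule | Line | Finding | Remediation |",
            "|---|---|---|---|---|---|"]
    for i, f in enumerate(sort_findings(findings), start=1):
        fix = REMEDIATION.get(f["code"], "See https://github.com/hadolint/hadolint/wiki/" + f["code"])
        rows.append("| %d | %s | %s | %s:%d | %s | %s |" % (
            i, f["level"], f["code"], _cell(f["file"]), f["line"], _cell(f["message"]), _cell(fix)))
    return "\n".join(rows)


if __name__ == "__main__":
    results = load_findings(SAMPLE_JSON)
    print("Issues by severity:", summarize(results))
    print(render_table(results))
    print("Fails at warning threshold:", exceeds_threshold(results, "warning"))
```

To use it on a real run, replace `SAMPLE_JSON` with the contents of `hadolint-results.json`; rules not in `REMEDIATION` fall back to a link to that rule's page in the Hadolint wiki.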
Key Hadolint Rules
| Rule | Description |
|---|---|
| DL3000 | Use an absolute path in `WORKDIR` |
| DL3002 | The last `USER` should not be root |
| DL3003 | Use `WORKDIR` to switch directories instead of `cd` in `RUN` |
| DL3006 | Always tag the version of a base image explicitly (`FROM image:tag`, not a bare `FROM image`) |
| DL3007 | Do not use the `latest` tag; pin the base image to a release tag |
| DL3008 | Pin versions in `apt-get install` (`pkg=version`) |
| DL3009 | Delete the apt-get lists after installing (`rm -rf /var/lib/apt/lists/*` in the same `RUN`) |
| DL3018 | Pin versions in `apk add` (`pkg=version`) |
| DL3025 | Use JSON (exec) form for `CMD` and `ENTRYPOINT` |
| DL4006 | Set `SHELL` with `-o pipefail` before a `RUN` that uses a pipe |
| SC2086 | ShellCheck: double quote to prevent globbing and word splitting |
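The rules above as a before/after pair. This is an added example, not part of the original skill or of the Hadolint project: the first Dockerfile is constructed to trigger the listed rules, and the second is one way to satisfy them. The base image tag and the pinned `curl` version are placeholders; pin to whatever your base image's package index actually provides.

```dockerfile
# BEFORE (constructed): trips DL3007, DL3002, DL3000, DL3003, DL3008, DL3009, DL4006 and DL3025
FROM ubuntu:latest
USER root
WORKDIR app
RUN apt-get update && apt-get install -y curl
RUN cd /app && dpkg -l | grep curl
CMD curl --version

# AFTER: same build, with each finding addressed
FROM ubuntu:22.04
# pipefail so a failing command on the left of a pipe fails the RUN (DL4006)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# absolute WORKDIR, and no `cd` inside RUN (DL3000, DL3003)
WORKDIR /app
# pinned package version (placeholder string) and apt lists removed in the same layer (DL3008, DL3009)
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl=7.81.0-1ubuntu1.15 \
 && rm -rf /var/lib/apt/lists/*
RUN dpkg -l | grep curl
# drop privileges for the runtime user (DL3002)
USER nobody
# exec form so signals reach the process directly (DL3025)
CMD ["curl", "--version"]
```

Running `hadolint` on the first file should list those rule codes; on the second it should be clean for the rules in the table (other informational rules may still apply).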